Email sent to report-phish@tufts.edu will automatically create a ticket in the RT system. RT will notify the Information Security team of the creation of a new ticket.
The Standard Operating Procedure for such user reported phishing tickets is:
- The staff member who will attempt to resolve the issue should immediately assign the ticket to themselves.
- In RT, press the 'Take' link.
- If the ticket is in the 'abuse' queue, click on the "Basics" field in RT and move it to the "uit-user-phish-reports" queue.
- If the phishing attempt contains a URL:
- Test the URL at the Trend Micro Site Safety Center: http://global.sitesafety.trendmicro.com/
  - If the URL is not marked as malicious, it will be scheduled to be scanned by Trend Micro.
  - If detected as malicious, Tufts users with the Trend Micro / OfficeScan AV client will be prohibited from visiting this URL.
- Test the URL at the VirusTotal scanner: https://www.virustotal.com/index.html
  - Click on the "Submit a URL" tab.
  - You may request VirusTotal to re-analyze a page at any time.
  - VirusTotal will report on the status of the URL from several major anti-malware vendors.
- Report the URL and phishing email to PhishTank.com: http://www.phishtank.com/add_web_phish.php
  - Log in with the team's shared PhishTank account. Its credentials do not belong in this document; obtain them from the team out of band.
  - PhishTank reports to OpenDNS and other phishing monitoring services.
- Report the URL and phishing email to Google Report Phish: http://www.google.com/safebrowsing/report_phish/
  - Google will update StopBadware.org and Safe Browsing, which are the source for the page-level warnings in Google Chrome and Firefox.
- Run a WHOIS query on the registered domain of the URL hostname (query example.com rather than login.example.com; if the URL uses an IP literal, query the IP instead). Example from a bash shell prompt: whois tufts.edu
- Contact the site administrator reported in the WHOIS query, and the relevant "abuse" email address for the domain or registrar (for example, abuse@dot.tk). Send a modified version of the following template on top of the forwarded phishing email:
Subject: Phishing abuse at (REPORTED URL)
Greetings,
You may not yet be aware of the malicious activity at the following URL: (OBFUSCATED VERSION OF REPORTED URL, e.g. hxxp:// and [.] in place of http:// and dots; we don't want them to fall victim to their own link)
Unfortunately, this URL is being referenced in an email-based phishing attack against users in my organization. Many of our users have received emails directing them to provide their credentials to this illegitimate web form. Can you please investigate the matter and take this page offline if possible and appropriate?
Thank you and please let me know if I can provide any further information.
(YOUR NAME)
Tufts Information Security Operations
(617) 627-6070
- Note the IP address associated with the URL. Execute an ArcSight Logger query to detect traffic directed at this IP address, substituting the phishing host's IP for the example value. Example: destinationAddress = "130.64.205.66"
- For each result from that query, investigate the owner of the Tufts IP address (check DHCP logs in Splunk, Bluecat/Proteus entries, etc.)
- Investigate each user who may have accessed the malicious URL. If any of them are high risk, contact their FSP or contact them directly.
- Note the Tufts user who forwarded the phishing email. Send a modified version of the following template. Include any personal touches you think appropriate.
Subject: Regarding the "(SUBJECT OF PHISHING EMAIL)" phishing attempt
Thank you for notifying information security of the recent phishing attempt.
We depend on your assistance for detecting and responding to these attacks. Reporting them doesn't just help prevent future annoyance, it can help protect your colleagues.
In response, we've notified StopBadware and Trend Micro that the web page is malicious. If you or anyone else at Tufts uses Google Search, Google Chrome, Firefox, or the Tufts-provided anti-virus, you and they should no longer be able to access that page. We've notified (PHISHING URL HOST) that they're hosting a malicious page and requested they remove it or restrict access. We will be monitoring traffic to the (PHISHING URL HOST) IP address to detect when less sophisticated users may be accessing the page (note: we do not see what you submit, just the IPs to which you connect; we do care about privacy here).
You may always forward such phishing attempts to abuse@tufts.edu or report-phish@tufts.edu.
Thanks again,
(YOUR NAME)
Information Security Operations
(617) 627-6070
- Resolve the RT ticket. Note that you complied with this procedure.
Notes about this procedure:
- This is a coarse first draft.
- It will need to be updated when RT is updated.
- It will not scale if we start receiving a higher volume of phishing notifications.
- It is adequate for the 5-10 notifications per month we receive at the time of writing.
Ideas for future improvements, if needed:
- Create an RT scrip that logs phishing emails to another server.
- Create a cron job that checks for new phishing messages, parses them for URLs, and:
  - submits them to the reporting agencies
  - reports the reporting agencies' findings
  - reports the whois information and prepares a draft email to copy/paste
  - extracts IP info for each URL; executes a logger query / script to detect potential victims; reports their details
  - prepares mail templates?
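The following is an added example, not part of the Tufts SOP or any Tufts tool. It sketches the per-URL part of the procedure above (extract the URL from the reported message, obfuscate it, derive the hostname and IP, draft the abuse email and the ArcSight Logger query) and so doubles as a first cut at the cron-job automation listed under future improvements. Assumptions: the reported message is available as raw RFC 822 text; obfuscation uses the hxxp:// and [.] conventions; the Logger query follows the destinationAddress form shown above; DNS resolution is injectable so the example runs offline. The sample message, hostname and IP are constructed for the example.

```python
"""Phishing-triage helper (added example, not the SOP's own code).

Parses a user-reported phishing message, extracts URLs, defangs them,
derives host and IP, and drafts the analyst's artifacts: abuse-report
email, ArcSight Logger query, and whois command line.
"""
import email
import ipaddress
import re
import socket
from email import policy
from urllib.parse import urlparse

# http(s) URLs in plain-text or HTML bodies; trailing prose punctuation is stripped later.
URL_RE = re.compile(r"""https?://[^\s<>"'\)\]]+""", re.IGNORECASE)

# The SOP's abuse-report template; the body carries the obfuscated URL.
EMAIL_TEMPLATE = """Subject: Phishing abuse at {url}

Greetings,

You may not yet be aware of the malicious activity at the following URL:
{defanged}

Unfortunately, this URL is being referenced in an email-based phishing attack
against users in my organization. Many of our users have received emails
directing them to provide their credentials to this illegitimate web form.
Can you please investigate the matter and take this page offline if possible
and appropriate?

Thank you and please let me know if I can provide any further information.

{name}
Tufts Information Security Operations
(617) 627-6070
"""


def extract_urls(raw_message: str) -> list:
    """Unique URLs from every text part; walk() also descends into message/rfc822 attachments."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;:")
            if url not in found:
                found.append(url)
    return found


def defang(url: str) -> str:
    """Obfuscate a URL (hxxp://, [.]) so it is not clickable in the report."""
    return url.replace("https://", "hxxps://").replace("http://", "hxxp://").replace(".", "[.]")


def resolve(host: str) -> str:
    """IPv4 address for a hostname; IP literals in the URL pass through unchanged."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return socket.gethostbyname(host)


def arcsight_query(ip: str) -> str:
    """Logger query for traffic to the phishing host, in the SOP's destinationAddress form."""
    return f'destinationAddress = "{ip}"'


def abuse_report(url: str, analyst_name: str) -> str:
    return EMAIL_TEMPLATE.format(url=url, defanged=defang(url), name=analyst_name)


def triage(raw_message: str, analyst_name: str, resolver=resolve) -> list:
    """One record per URL: host, IP, whois command, Logger query, draft abuse email."""
    records = []
    for url in extract_urls(raw_message):
        host = urlparse(url).hostname
        ip = resolver(host)
        records.append({
            "url": url, "host": host, "ip": ip,
            "whois": f"whois {host}",          # analyst runs this in a shell
            "logger_query": arcsight_query(ip),
            "abuse_email": abuse_report(url, analyst_name),
        })
    return records


# Constructed sample: a user's forward of a mailbox-quota credential lure.
SAMPLE_REPORT = """\
From: student@tufts.edu
To: report-phish@tufts.edu
Subject: FW: Your mailbox is almost full
Content-Type: text/plain; charset="us-ascii"

Is this legit?

-----Original Message-----
Your Tufts mailbox quota has been exceeded. Verify your account within 24h at
http://webmail-tufts-verify.example.net/owa/login.php?acct=student or it will be closed.
"""


def fake_resolver(host: str) -> str:
    """Stand-in for DNS so the example runs offline (constructed TEST-NET address)."""
    return {"webmail-tufts-verify.example.net": "203.0.113.45"}.get(host, "0.0.0.0")


if __name__ == "__main__":
    for rec in triage(SAMPLE_REPORT, "A. Analyst", resolver=fake_resolver):
        print(rec["whois"])
        print(rec["logger_query"])
        print(rec["abuse_email"])
```

In production, swap fake_resolver for the default resolve() and feed the output of whois into the "To:" of the draft; the reported-URL subject line follows the SOP template, so send the draft from a client that does not auto-linkify it, or defang the subject as well.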